Security Not Spartan at MSU
MICHIGAN STATE UNIVERSITY, which has grown considerably since its founding in 1855, comprises 660 buildings spread over approximately 3,200 acres. These house everything from classrooms and faculty offices to a major credit union. The university has the largest college housing complex in the nation, with 23 undergraduate halls, one graduate hall, and three apartment villages—all part of the total number of buildings. In addition, the campus, located in East Lansing, includes 2,000 acres that are planned for future development. Another 15,000 acres across Michigan are allocated for agriculture and forestry research by MSU students.
There are 11,000 faculty members, support staff, and other employees, who together make it possible for the university to offer its 200 programs of study. Taking advantage of these programs are more than 45,000 students hailing from all 50 U.S. states and 125 other countries.
Until the late 1990s, the university was operating on an old fire and access control system that had been installed in the 1960s. The system was basically one alarm panel that monitored two or three locations, such as the credit union located on campus. The panel connected to an intercom at the university police station. There were fewer than ten of these alarms on campus.
By the late 1990s, this system was literally falling apart.
Something—either an upgrade or a total replacement—had to be done. Even if the security division had wanted to expand the existing system, the manufacturer did not have the capacity to handle MSU’s needs, so the access control and security division of the university police department set out to find an entirely new system for a program that would initially be limited in scope but would be expanded in the future.
The decision to replace the alarm system coincided with a major fire and with requests from campus customers for alarm monitoring. For the most part, these requests came from financial units or other groups that dealt with money, such as the campus bookstore. Following is a look at how the system needs were assessed and the lessons learned from the installation process, which is now in its final stages. We’ll start with the fire that served as the agent of change.
It all started on New Year’s Eve, 1999, when IT and university police staff members at MSU sat in the police station and waited. They had done all they could to ensure that Y2K would not disrupt the university’s computer system, but no one really knew what would happen when the clock ticked past midnight.
The security division had a bigger problem, though. Across campus a fire was raging. Members of the Earth Liberation Front (ELF) had set fire to a professor’s office. (ELF publicly took credit for the fire but, to date, no one has been charged.)
An audible alarm was sounding, but with all attention focused on the arrival of the new millennium, there was no one around to hear it. The lack of an alarm feed to the police station meant that the fire was well underway before the university police knew the fire had been set.
The fire resulted in more than $400,000 in damages to the historically important Agriculture Hall, one of the oldest buildings on the MSU campus. The disaster also highlighted a serious shortfall in campus safety and security: It showed that the existing security system was inadequate.
The security division at first put out a bid for a relatively small upgrade. It sought an access control and fire alarm system that would replace the ten existing fire alarm sensors and the panels that controlled them and add 30 access control readers. Security ultimately selected Siemens. The manufacturer had experience with access control systems at other universities and already maintained the environmental controls on the MSU campus, and it came in with the lowest bid. The security division was ready to seal the deal in the summer of 2001.
Then the events of 9-11 changed everything. “The whole idea of central monitoring and looking at security as a whole became a campuswide issue,” says Denni Kraft, systems coordinator at the university and manager of the project. Instead of going ahead with the small access control project, the university decided to assess security on the entire campus to see what vulnerabilities existed.
With regard to fire alarm systems, the concern, as highlighted by the fire, was lack of notification. Any new system would need to ensure that university police would also be notified of alarms. In this way, police would serve as a backup and would contact maintenance in case of alarms. This procedure would ensure that the alarm was noticed and responded to.
The assessment found a different concern with access control. Each university department made its own arrangements with local access control alarm monitoring companies. Each department also separately bid out access control contracts.
As a result, there could be four or five different vendors providing security services within one building. The same was true of computer labs and student housing complexes. Any individual building could bid out its access control needs. No central oversight or coordination occurred.
The assessment thus revealed the need to do much more than upgrade equipment. The project also needed to reorganize how security systems would be handled in the future. Departments with standing contracts with outside firms were allowed to keep them for the time being, with the caveat that, when the contracts expired, those facilities would be moved onto the larger system controlled by the security division.
This meant that the initial project would include 60 buildings; the others would be phased in when contracts expired. With this in mind, MSU did not want to commit to a certain number of access control points, so the security team set out to get the most expandable system possible.
After reviewing the systems on campus, the security division discussed the philosophy of access control with department heads and administrators. (Security refers to these end users as clients.) One factor surfaced as a paramount concern: Because faculty, staff, and some students work in numerous buildings, they wanted one card for all functions. This feature was, therefore, set as one of the primary objectives, and it became part of the new bid proposal. MSU wanted a system in which one card could serve as an access control card, parking card, and library card.
Another issue had to do with the nature of the academic community. Because MSU is a major research institution that is open all hours of the day and night, it needs strong security, but the access control system could not be too difficult to use. “Our mission is to protect the university community,” says Kraft. “We wanted to craft a system that could protect clients and property but allow academic freedom.”
Bidding the Project
With all of these factors in mind, the security division was ready to send the project out for bid. In addition to specific functionality, it noted that dependability, quality, and ease of installation were all key. The bid was for a total access control system, plus motion detectors. The bid also specified that the system would have to accommodate a range of time schedules and allow operators to manipulate the openings and closings of buildings. Given the size of the project, there were only a few vendors that would be qualified to bid.
When all of the bids were assessed, Siemens, which had been selected earlier for the smaller-scale fire system upgrade, was again the winner. Security met with the company and set an ambitious goal. They wanted to have the system planned out and ready for installation in a few months. However, security hit an unexpected snag. Because of 9-11, everyone from the students to the dean was newly interested in security.
This meant that the project was slowed down by repeated requests for meetings, an abundance of input, and interest in new technology. “In the end, the planning stage took more than a year,” says Kraft.
But there was an upside to this involvement. The discussions led to a consensus about centralization. Any request for outside service would in the future be directed to the security division, says Kraft.
The input from students and faculty also led to some additional security enhancements being added to the project. These included glass-break sensors and panic buttons in selected locations.
The installation process proved to be a challenge. Most of the buildings on campus are old and are from numerous eras, thus widely varying in their construction. This diversity presented difficulties for installers. For example, some of the oldest buildings have three-foot-thick walls.
Given this situation, it was decided that the installation should be carried out by the university’s in-house engineering staff, rather than by a contractor. This approach turned out to be more time-consuming but resulted in a high-quality installation.
The success was due in part to the extra training that engineering and maintenance staff undertook before the installation. Some of the electricians from the physical plant went through training with Siemens and became certified to work on the equipment.
The training has also allowed the university to bring all maintenance in house. At first, this was a more expensive option, but the benefits were high. For example, security is now able to prioritize issues on the fly, rather than scheduling a contract worker for each issue.
Having in-house installation also made it easier to deal with the most challenging part of the process: retrofitting old alarms. Around 40 antiquated alarm systems were still installed around the campus. Security had to retrofit those old systems and move them to the new system without causing any interruption in alarm monitoring.
The planning took several months. The new door alarms had to be installed before the old equipment was replaced, and all of the people using the system had to be trained before the swap. After getting all the equipment assembled, in-house engineers mounted the new alarm panels alongside the old ones and switched each system over one by one, all in the same day.
The final system comprised more than 400 card readers and more than 4,000 alarm points, including motion detectors, panic buttons, and glass-break sensors. All told, these alarm points are used to monitor 60 buildings on campus. The remaining buildings will be moved over to the Siemens system as current access control contracts expire.
Access control points. For those buildings that are alarmed, each access control point has a specific set of components. The Wiegand card readers that are installed on the outside of the buildings have no keypads and require only a proximity card to enter.
Each of the interior points designated as warranting an internal layer of added security has a card reader with a keypad attached to the reader. The keypads serve as an additional layer of protection for access to specific interior doors, such as those to laboratories. (The external doors of many buildings are left open during the day because they are open to the public.)
Specific locations also have motion detectors, panic buttons, or glass-break sensors. For example, one high-profile building on campus has more than 150 glass-break sensors. Other alarms include door-contact alarms and “request to accept” alarm points—these are activated to let someone exit through an armed door.
By the end of the year, the last portion of the access control system will be underway. The university plans to install access control on the external doors of all campus buildings that are not already in the system.
Over the next two years, access control will be added to the remaining 600 campus buildings as appropriate. In the new phase at least three external doors will be alarmed for each building. The doors that faculty, staff, and students use after hours will be equipped with card readers. All other doors that are open during the day will be equipped with electric strikes so that they can be unlocked remotely.
The new phase of the system will allow security to lock and unlock the doors on each building according to a schedule, replacing an old manual procedure in which three employees, known as university lockers, were charged with opening the doors in all the buildings. This meant that if 40 buildings needed to be unlocked by 8:00 a.m., many had to be open by 6:00 a.m. to meet the deadline, leaving them vulnerable to intruders.
Staffing/Monitoring. All of the access control alarms are monitored centrally by the university police. Ten campus police cadets staff a 24-hour service desk in overlapping shifts. Dispatching is not done on campus, however. There is a central dispatch service for the university and surrounding towns. This service was contracted for in the early 1990s and is still in place.
Controllers were added to the fire alarm system. These controllers notify the security department when there is a fire alarm. Security serves as redundant monitoring for the fire alarm system, not the first line of defense, because the university police are not UL certified.
The main monitoring function is performed by the MSU physical plant, which was monitoring the alarms before the upgrade as well. (The physical plant is also in charge of the maintenance of all of the fire alarm equipment.) However, the university police do monitor the annunciator panels in each building for smoke, fire, mechanical trouble, and water flow caused by sprinkler systems. Security can then contact the person who would deal with each issue, such as the fire department or the physical plant. This setup is intended to prevent a repeat of the type of incident cited at the beginning of the article, where security was unaware of a fire on campus.
The system also alarms locally. When an alarm is triggered, a strobe light goes on and a horn sounds at the location where the alarm was set off.
The entire system communicates on a secure network, known as VLAN. The VLAN works off the university’s network but is a secured segment of the network backbone. This configuration helps keep the access control system more secure because the routers are programmed to keep the security traffic separate from that of other users.
Security faced additional challenges in scheduling opening and closing times of buildings, working with building staff, as well as issuing student access control cards each semester.
With so many different users, the administration of the system has been a challenge for security. For example, a building that is open to the public may need to open at 8:00 a.m. and close at 5 p.m., making the locking and unlocking process simple. The faculty who work in another building might have a schedule that changes each week, or a department head may want to have an impromptu staff meeting at 7:30 p.m. It quickly became apparent that, for the system to work properly, security needed to continuously interact with the occupants of each space.
Kraft went client by client to assess everyone’s needs. She knew that interpersonal contact was the only way to make the system work. In these initial meetings, Kraft established contacts with a core of individuals from each building who had knowledge of the day-to-day operations of the building—usually an administrative assistant rather than the head of the department, for example.
Kraft made it clear that only these people could request access control changes. The requested changes, such as adding or deleting names from the access control lists, can initially be made over the phone, but they must be followed up in writing to ensure that no mistakes have been made.
During the initial meetings, Kraft also established emergency procedures for each building or client. These procedures would come into play if there was an emergency and the building or area needed to be locked down.
Any unique situations were also noted. In a science complex, for example, a fire in a lab can have numerous ramifications. Not only should the area be locked down, but the names of chemicals or other materials used in that lab must be made available to the fire department. Security keeps and updates all of this information.
Card issuance. The main classrooms do not require an access card for entry. Thus, most students don’t need cards. (Dorms currently have their own access control systems but, as previously noted, will be moved over to the Siemens system as equipment becomes obsolete and contracts expire.)
Approximately 5,000 students do have to carry access control cards. These are mostly graduate students and Ph.D. candidates, who often have offices and research facilities. The administrative challenge is to make sure that these access privileges are kept up to date. All of these changes are made through the head of each department at the beginning of each semester.
Maintenance. When the university made a commitment to the program, it also made a promise to maintain it. One person was charged with starting the project, but now three full-time employees are responsible for its upkeep. Anyone hired to work on the project must have an extensive knowledge of the facility and be schooled in law enforcement procedures. In return, these employees are paid a competitive salary.
The new system’s capabilities were put to the test last year when a graduate student reported that his research documents had been stolen from a laboratory by a colleague. The security division provided the records maintained by the access control system to the university police.
University police interviewed suspects identified as those who had been in and out of the laboratory at the given time. During the course of those interviews, the perpetrator, a fellow student, confessed. The case helped to drive home the value of a security system that has been carefully selected and the importance of adequate staff training and proper investigative follow up.
Teresa Anderson is a senior editor at Security Management.